    ____     _   __     ______    ____       __ __    ___    ______
   /  _/    / | / /    / ____/   / __ \     / // /   <  /   / ____/
   / /     /  |/ /    / /_      / / / /    / // /_   / /   /___ \
 _/ /     / /|  /    / __/     / /_/ /    /__  __/  / /   ____/ /
/___/    /_/ |_/    /_/        \____/       /_/    /_/    /_____/
--- Web Application Security ---
This course will cover the ins and outs of web application security from the perspectives of the developer, administrator, and attacker. We will cover attacks from the all too common Cross-Site Scripting (XSS) attack through Cross-Site Request Forgery (CSRF), SQL Injection (SQLi), all the way to more advanced topics such as hash length extension attacks, cookie tossing, deserialization, and specialized vulnerabilities against common web frameworks.
The goals of this course center on familiarizing students with how to recognize a possible vulnerability, write a proof of concept, and provide helpful remediation so that a developer can properly mitigate the issue. The emphasis will be on hands-on learning, and students will be expected to think creatively as they face common defenses and work with unfamiliar frameworks and languages.
Grade breakdown:
- midterm: 40%
- hw: 60%
Late penalty:
- 10% per day (each 24 hrs from the time due)
- capped at a 50% deduction
- 4 late days available
- Bitsync key: BVJ3RLXHMCWW5AFAVNMB4RRVOLWW72UD7
- Suggested reading: Web Application Hacker's Handbook (WAHH)
- introduction
- class overview
- threat modeling
- tools setup
- capturing traffic
- how the internet works
- client to server communications
- browser basics
- required
  - none
- recommended
  - read WAHH chapter 12
  - read WAHH chapter 3
- cross-site scripting (XSS)
  - how it works
  - why it's so common
  - why it's bad
  - how to find it
  - how to mitigate
  - reflective XSS
  - stored XSS
  - DOM XSS
- XSS demos
- practice: http://xss-quiz.int21h.jp/
- character encoding
  - unicode security
  - punycode domains
- filter bypass techniques
  - no spaces
  - no script tag
  - XSS via images
  - encoding galore
  - other weirdness
- do stuff
- filter bypassing
- required
  - XSS challenges
  - pentest report
  - due next Thursday
- advanced payloads
  - exfiltrating cookies
  - inducing user action
  - fake login forms
- regular expressions
- guest lecture
- puzzle
- required
  - special XSS payloads
  - due Tuesday after next
- recommended
  - reading on CSRF and Clickjacking
    - WAHH Chapter 13 section on "Inducing User Action" (501-515)
    - http://www.troyhunt.com/2013/05/clickjack-attack-hidden-threat-right-in.html
- go over last week's hw
- CSRF
  - how it works
  - why it's bad
  - how to find it
  - how to mitigate
- puzzle solution
- how Tor works
- CSRF demo
- Clickjacking
  - how it works
  - why it's bad
  - how to mitigate
  - special tactics
- Clickjacking demo
- required
  - CSRF challenges
  - clickjacking challenges
  - pentest report
  - due next Thursday
- recommended
  - read WAHH chapter 9
- SQL injection
  - how it works
  - why it's bad
  - how to find it
  - how to mitigate
  - how to pull data
  - special tactics
- SQLi demos
- SQL practice
- lockpicking
- SQL injection practice
  - OWASP Broken Web Application
- none
- Advanced SQL injection techniques
- class canceled
- keyloggers
- required
  - SQL injection challenges
  - pentest report
  - due next Tuesday
- recommended
  - read WAHH chapter 6
  - read WAHH chapter 7
- session fixation
- session invalidation issues
- timing attacks
- user enumeration
- insufficient entropy
- metasploit
- authentication 2.0
  - 2 factor auth schemes
  - single signon
- required
  - advanced SQL challenges
  - pentest report
  - due next Thursday
- cryptography
  - public/private key
  - forward secrecy
  - hashes
  - stream vs block cipher
  - algorithm modes: ECB, CBC, others
- bitcoin
- canceled
- none
- canceled
- business logic attacks
- hash length extension attacks
- local file inclusion attacks
- demo
- required
  - super secure bank pentest
  - due next Thursday
  - pentest report
- recommended
  - read WAHH Chapter 10 section "Manipulating File Paths"
  - read WAHH Chapter 11 section "Example 12: Racing Against the Login"
- mass assignment attacks
- deserialization attacks
- race conditions
- testing techniques
- review
- buffer overflows
- online challenges
- required
  - final
    - starts Friday June 5th 5:30pm (17:30) PST
    - due Tuesday June 9th at 11:45am (11:45) PST